After that, you create a subject line and message text to send along with the accompanying exploit. The next screens let you specify the connect-back (reverse-connection) method and port. You can select any port, including the standard HTTP and HTTPS ports (80 and 443). I often go with HTTPS: the agent's traffic is encrypted and looks like ordinary outbound web browsing, so it is harder for network attack detection tools to inspect, and port 443 is almost always allowed out through the firewall.
Finally, you select the initial payload actions and wait. By simply ticking a checkbox, I was able to tell Impact to make the agent persistent (that is, to survive a reboot) and to dump the currently logged-on user's authentication credentials.
Once the email is sent, it's a matter of waiting for the target victim or victims to receive it. When a victim opens the email and/or attachment, the exploit fires, takes control of the system, installs the Impact agent, and establishes a remote-management channel back to the tester's computer (which is why the connect-back port must be one the target network allows outbound). After that, the sky's the limit.
Using Impact made me yearn for the days when all I did was penetration testing -- man, the hours and hours I could have saved using Impact or a tool like it.
Some people complain about how easy pen testing tools make it to exploit an environment, as if the bad guys are usually wielding a mainstream or commercial tool. I tell critics that the bad guys have their own custom tools, specialized for their type of work. Most penetration testing tools, especially the ones I mentioned here, are made for IT security teams so that we can test our own defenses before the bad guys do. It also lets us demonstrate particular exploits to senior management more easily. The bad guy doesn't need these tools. We do.
This story, "Penetration testing on the cheap and not so cheap," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes's Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.